The Order of Encryption and Authentication for Protecting Communications (or: How Secure Is SSL?)
We study the question of how to generically compose symmetric encryption and authentication when building “secure channels” for the protection of communications over insecure networks. We show that any secure channels protocol designed to work with any combination of secure encryption (against chosen plaintext attacks) and secure MAC must use the encrypt-then-authenticate method. We demonstrate this by showing that the other common methods of composing encryption and authentication, including the authenticate-then-encrypt method used in SSL, are not generically secure. We show an example of an encryption function that provides (Shannon’s) perfect secrecy but, when combined with any MAC function under the authenticate-then-encrypt method, yields a totally insecure protocol (for example, finding passwords or credit card numbers transmitted under the protection of such a protocol becomes an easy task for an active attacker). The same applies to the encrypt-and-authenticate method used in SSH.
On the positive side, we show that the authenticate-then-encrypt method is secure if the encryption method in use is either CBC mode (with an underlying secure block cipher) or a stream cipher (one that xors the data with a random or pseudorandom pad). Thus, while we show the generic security of SSL to be broken, the current practical implementations of the protocol that use the above modes of encryption are safe.
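Added example in Python (not the paper's own construction or code): a constructed bit-encoding placed ahead of a one-time pad is perfectly secret, yet under authenticate-then-encrypt the receiver's accept/reject answers leak each plaintext bit to an active attacker who only flips ciphertext bits; encrypt-then-authenticate with the same pad and MAC rejects every modification before decryption and leaks nothing. HMAC-SHA256 stands in for "any MAC", and all function names and the sample message are this example's own.

```python
import hashlib, hmac, secrets
TAG_BITS = 256  # HMAC-SHA256 tag carried as a list of bits

# Constructed encoding (this example's own, not the paper's): bit 0 -> 00, bit 1 -> 01 or 10 at
# random; 11 is never produced and is rejected on decode. A pad over it is perfectly secret.
def encode(bits):
    return [p for b in bits for p in ((0, 0) if b == 0 else (0, 1) if secrets.randbits(1) else (1, 0))]

def decode(pairs):
    if any(a and b for a, b in zip(pairs[0::2], pairs[1::2])):
        return None  # invalid codeword 11: the receiver rejects the message
    return [a | b for a, b in zip(pairs[0::2], pairs[1::2])]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def mac(key, bits):  # HMAC over a bit list, returned as 256 bits
    return [byte >> k & 1 for byte in hmac.new(key, bytes(bits), hashlib.sha256).digest() for k in range(8)]

def verify(key, bits, t):
    return hmac.compare_digest(bytes(mac(key, bits)), bytes(t))

def ate_encrypt(pad, key, msg):  # authenticate-then-encrypt: pad-encrypt encode(msg || MAC(msg))
    return xor(encode(msg + mac(key, msg)), pad)

def ate_decrypt(pad, key, ct):  # receiver must decrypt and decode before it can verify
    plain = decode(xor(ct, pad))
    if plain is None or not verify(key, plain[:-TAG_BITS], plain[-TAG_BITS:]):
        return None
    return plain[:-TAG_BITS]

def eta_encrypt(pad, key, msg):  # encrypt-then-authenticate: the MAC covers the ciphertext
    ct = xor(encode(msg), pad)
    return ct, mac(key, ct)

def eta_decrypt(pad, key, ct, t):  # receiver verifies before touching the plaintext
    return decode(xor(ct, pad)) if verify(key, ct, t) else None

def flip_pair(ct, i):  # the active attacker's move: flip both ciphertext bits of pair i
    return [c ^ int(j in (2 * i, 2 * i + 1)) for j, c in enumerate(ct)]

def recover(receiver, ct, n):  # receiver holds pad and key; the attacker only sees accept/reject
    return [int(receiver(flip_pair(ct, i)) is not None) for i in range(n)]

def demo(msg=(1, 0, 1, 1, 0, 0, 1, 0)):  # constructed secret bits
    msg, key = list(msg), secrets.token_bytes(32)
    pad = [secrets.randbits(1) for _ in range(2 * (len(msg) + TAG_BITS))]
    leaked = recover(lambda c: ate_decrypt(pad, key, c), ate_encrypt(pad, key, msg), len(msg))
    ct, t = eta_encrypt(pad, key, msg)
    safe = recover(lambda c: eta_decrypt(pad, key, c, t), ct, len(msg))
    return leaked, safe  # AtE leaks msg bit by bit; EtA rejects every modification
```

The pad is a true one-time pad here, so the leak comes entirely from the composition order, not from any weakness of the cipher or the MAC.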
Keywords: Encryption Scheme, Stream Cipher, Secure Channel, Symmetric Encryption, Encryption Function